__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                             Speex Security Update
                           [Red Hat RHSA-2008:0235-4]

April 25, 2008 12:00 GMT                                          Number S-272
[REVISED 29 May 2008]
______________________________________________________________________________
PROBLEM:       The Speex library was found to not properly validate input
               values read from Speex file headers, which could allow
               arbitrary code execution.
PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Desktop (v. 4)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux AS, ES, WS (v. 4)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 4.0 (etch)
DAMAGE:        Denial of service or execution of arbitrary code.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker could create a malicious Speex 
ASSESSMENT:    file that would crash an application or, possibly, allow 
               arbitrary code execution with the privileges of the application 
               calling the Speex library. 
______________________________________________________________________________
CVSS 2 BASE SCORE: 7.5 
 TEMPORAL SCORE:   6.2 
 VECTOR:           (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C) 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-272.shtml 
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0235.html 
 ADDITIONAL LINKS:   http://www.debian.org/security/2008/dsa-1585
                     http://www.debian.org/security/2008/dsa-1584
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
______________________________________________________________________________
REVISION HISTORY:
05/29/2008 - revised S-272 to add links to Debian Security Advisories DSA-1585-1 
             and DSA-1584-1 for Debian GNU/Linux 4.0 (etch).



[***** Start Red Hat RHSA-2008:0235-4 *****]

Important: speex security update
Advisory: RHSA-2008:0235-4 
Type: Security Advisory 
Severity: Important 
Issued on: 2008-04-16 
Last updated on: 2008-04-16 
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4) 
OVAL: com.redhat.rhsa-20080235.xml 
CVEs (cve.mitre.org): CVE-2008-1686
 


Details
Updated speex packages that fix a security issue are now available for Red 
Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5. 

This update has been rated as having important security impact by the Red 
Hat Security Response Team.

Speex is a patent-free compression format designed especially for speech. 
The Speex package contains a library for handling Speex files and sample 
encoder and decoder implementations using this library. 

The Speex library was found to not properly validate input values read from
Speex file headers. An attacker could create a malicious Speex file
that would crash an application or, possibly, allow arbitrary code
execution with the privileges of the application calling the Speex library.
(CVE-2008-1686)

All users of speex are advised to upgrade to these updated packages, which 
contain a backported patch to resolve this issue.



Solution
Before applying this update, make sure that all previously-released 
errata relevant to your system have been applied. 

This update is available via Red Hat Network. Details on how to use 
the Red Hat Network to apply this update are available at 
http://kbase.redhat.com/faq/FAQ_58_10188


Updated packages


Bugs fixed (see bugzilla for more information)
441239 - CVE-2008-1686 speex, libfishsound: insufficient boundary checks



References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1686
http://www.redhat.com/security/updates/classification/#important 


--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on how 
to verify the signature are available from:
https://www.redhat.com/security/team/key/#package 

The Red Hat security contact is secalert@redhat.com. More contact details at 
http://www.redhat.com/security/team/contact/


[***** End Red Hat RHSA-2008:0235-4 *****]
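The defect class described above, header values used without boundary checks before they select a decoder or size a buffer, as an added example that is not part of the CIAC or Red Hat text: a header parser that rejects out-of-range fields before any table lookup. The 80-byte little-endian layout is the public Speex stream-header format; the decoder-table size (3 modes), the channel and rate policy, and all function names are this example's assumptions.

```c
/* Added example for this bulletin, not libspeex code: a defensive Speex
 * stream-header parser. The 80-byte little-endian layout is the public
 * Speex header format; table size and acceptance policy are assumed here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SPX_HEADER_LEN 80
#define SPX_NB_MODES   3  /* assumed decoder table: narrowband, wideband, ultra-wideband */
enum { SPX_OK = 0, SPX_ERR_SHORT, SPX_ERR_MAGIC, SPX_ERR_MODE, SPX_ERR_CHANNELS, SPX_ERR_RATE };
struct spx_header { int32_t rate, mode, nb_channels, frame_size; };

static int32_t le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, int32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)((uint32_t)v >> (8 * i));
}

/* Every header value is range-checked before it can be used as a table
 * index or a size; a mode field used directly to select a decoder from
 * a fixed table is the "insufficient boundary check" the bulletin describes. */
int spx_parse_header(const uint8_t *buf, size_t len, struct spx_header *out) {
    if (len < SPX_HEADER_LEN) return SPX_ERR_SHORT;          /* truncated header */
    if (memcmp(buf, "Speex   ", 8) != 0) return SPX_ERR_MAGIC;
    int32_t rate = le32(buf + 36), mode = le32(buf + 40);
    int32_t nb_channels = le32(buf + 48), frame_size = le32(buf + 56);
    /* signed compare: 0xFFFFFFFF reads back as -1 and must be rejected too */
    if (mode < 0 || mode >= SPX_NB_MODES) return SPX_ERR_MODE;
    if (nb_channels < 1 || nb_channels > 2) return SPX_ERR_CHANNELS;
    if (rate <= 0) return SPX_ERR_RATE;
    out->rate = rate; out->mode = mode;
    out->nb_channels = nb_channels; out->frame_size = frame_size;
    return SPX_OK;
}

/* Builds a constructed 80-byte header (other fields zero) and parses it,
 * returning the status code so every rejection path can be exercised. */
int spx_parse_constructed(int32_t rate, int32_t mode, int32_t channels) {
    uint8_t buf[SPX_HEADER_LEN];
    struct spx_header h;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "Speex   ", 8);
    put_le32(buf + 36, rate);      put_le32(buf + 40, mode);
    put_le32(buf + 48, channels);  put_le32(buf + 56, 160);
    return spx_parse_header(buf, sizeof buf, &h);
}
```

A fuzzer or unit test that feeds out-of-range, negative and truncated headers through spx_parse_header is the cheapest way to confirm that no field reaches an index or allocation unchecked.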
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update